Wes Modes wrote:
In general, I am trying to authenticate a login and password received via an OpenLDAP client (in this case SMB via the smbldap-tools)
Strictly speaking smbldap-tools is not an OpenLDAP client. It's a separate software not implemented by the OpenLDAP project.
See also these links found with Google: https://gna.org/projects/smbldap-tools/ http://www.iallanis.info/smbldap-tools/docs/smbldap-tools/
with the logins and passwords held in a Kerberos server elsewhere.
I don't know smbldap-tools. But I'm not sure if the user invoking the tools is really the user who accesses the OpenLDAP server. Could it be that the user accessing the OpenLDAP server is a pre-configured demon user account in the LDAP server which acts on behalf of the user?
I thought it was possible that I could have an ldap-bind request referred via SASL/GSSAPI to do a Kerberos authentication.
Depends on what the smbldap-tools are capable to do.
But on the Kerberos list, here's the response I got.
A KDC does not speak GSSAPI nor SASL. A KDC issues tickets. You use SASL-GSSAPI-KRB5 when you want to establish an authenticated connection to an application service for which a service principal exists within the KDC database. The KDC is not an application service. As Jeff pointed out, [you can't do that] with GSSAPI. What you might be looking for is slapd code to take a username and password and do in effect a kinit and a verify tgt, or have a sasl plugin do it for your. I don't know of one.
You have to check whether the smbldap-tools are capable of authenticating as the user who started the tools with SASL bind with GSSAPI mech using the TGT the user obtained from the KDC before (via kinit).
Glancing over the docs I doubt it works that way: http://www.iallanis.info/smbldap-tools/docs/smbldap-tools/#htoc12
But I don't know the software. Check yourself more thoroughly...
Ciao, Michael.